continuity planning

Trending towards Resiliency

Another way to look at business continuity planning is to take an even broader, more holistic look at your organization through the lens of resiliency. To be resilient, an organization needs to understand its risks and exposures. A quick definition of Business Resiliency is:

…the ability an organization has to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity. Business resilience goes a step beyond disaster recovery by offering post-disaster strategies to avoid costly downtime, shore up vulnerabilities and maintain business operations in the face of additional, unexpected breaches. 

Business Resiliency consists of multiple interdependent components, such as Risk Management, Business Continuity, and Disaster Recovery.

Each component requires:

  • a strategy.
  • a set of objectives.
  • a plan of action.

With these, your ability to recover from disruptions greatly improves. If you omit one of these three pieces, your ability to recover will be hindered.

Remember, the effort to prepare for resiliency, continuity, and recovery is not just about creating a plan you may never use.

It is about ensuring the livelihood of your company in the event of a disaster, and your ability to react.

ISO 22301 Business Continuity Management

ISO 22301 Business Continuity Management provides a framework for establishing a business continuity management system. Too many organizations have historically looked at the creation of a business continuity plan as a singular step in being organizationally prepared for those what-if scenarios. Way too often, these fancy plans, printed and distributed, become nothing more than "shelfware" and are obsolete within a short time.

Culturally, the importance of establishing a management system cannot be stressed enough. Once the plan becomes out-of-date, its effectiveness drops dramatically.

A few years ago, I was reviewing a plan for a new client. In one section, they had a back-up procedure that stated the following steps:

1. Every Friday, Mary will copy the contents of the S: network drive to a CD.
2. Mary will label the CD with date/time of the back-up and then store the CD in her basement for safe keeping.
3. In the event the S: drive's contents need to be recovered, Mary will retrieve the proper CD, deliver it to the IT group, and have the needed data recovered.

Putting aside the issues with this basic approach, this was their process...

In reviewing this section, I was met with a lot of blank stares and sheepish looks.  As it turned out, Mary had left the company three months prior to the review.  Not only were the previous back-up copies not retrieved from her basement, no back-ups had been performed since her departure.

This is a perfect example of a plan that had been crafted, but where the overriding management system was not reinforced by the organization.

To be ready, Business Continuity is more than just a plan. It is the cultural adoption of a mindset, it is the creation and maintenance of the plan(s), it is periodic reviews and updates to the plans, and it is the exercises to keep business continuity and resilience in the forefront of all employees' minds.

ISO 22301 is a good reference point for such a management system. The article found at this link provides a great overview: